Blog

2012 Disqus Hack Exposed More Than 17 Million Users

The hits just keep coming, with Disqus being the latest company to issue a breach disclosure. If you’ve never heard of it, Disqus is an incredibly popular, plugin-based comment service for blogs.

Although the breach was only just discovered, it occurred five years ago in July 2012, and impacted more than 17.5 million users.

Evidence of the breach was initially discovered by an independent security researcher named Troy Hunt. It was then reported to the company and disclosed 24 hours later by Jason Yan, the CTO of the company, who had this to say:

“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.”

Mr. Yan’s advice is excellent, but unfortunately, it highlights a persistent, ongoing problem. Far too many people are still in the habit of using the same password across multiple websites, which means that when one site is breached, it potentially gives the hackers access to all your other accounts that have passwords in common.

It should be noted that since the breach, Disqus has made several upgrades to their security, including implementing even more robust encryption than they’d formerly been using. Again, per Mr. Yan:

“Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security. Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt.”

The problem is solved for now, but the damage has been done. The best thing you can do at this point is change your password immediately, stop using the same password across multiple websites and be on the alert for phishing emails designed to get you to give up even more information.